Evolving the Noise out of InfoSec Using Law Enforcement Paradigms

Offered By: YouTube

Tags

Conference Talks Courses Cybersecurity Courses Threat Detection Courses

Course Description

Overview

Explore law enforcement paradigms to evolve information security practices and reduce operational noise in this conference talk from Converge 2016. Learn about effective detection methods, including event classification, triage prioritization, and suspect-centric investigations. Discover how to implement host analysis, connect facts, and develop new hypotheses using Modus Operandi modeling and link analysis. Gain insights into creating evidence boards, utilizing bioinformatics tools like Cytoscape, and identifying patterns to separate signal from noise in security operations.

Syllabus

Intro
WitFoo Mission
Research Effectively
Detection 1.0 - Event Proan
Detection Classification
Detection 1.1 - Classification
Detection 1.2 - Triage Part 1: Priority
Suspect Centric Investigations WANTED
Detection 2.0 - Host Analysis
Connecting Facts
New Hypothesis
• Using Modus Operandi modeling, events can be connected to produce operational levels of higher-level events, reducing operational strain.
• Plan: Create sets of member types and query flow tools to look for connections between the sets.
What is the right MO?
Not all Gang Murders are Drive-bys
Synthetic MO Candidate Experiment
• Check every possible pathway (n factorial: 5,040 for 7 sets)
Detection 3.0 - MO Analysis
30 Bullets = 30 Investigations?
Evidence Board - Link Analysis
New Hypothesis
• Using Link Analysis, events can be connected to produce operational levels of higher-level events, reducing operational strain.
• Plan: Connect incidents from 3.0 using Bioinformatics (Cytoscape)
4.0 - Link Board (via Cytoscape)
"Cloud of Death" = Noise
Bad Tips
Beta Program